Pierluigi Paganini May 01, 2019

The US DHS issued a new Binding Operational Directive (BOD 19-02) instructing federal agencies and departments to patch critical flaws in within 15 days.

The U.S. Department of Homeland Security (DHS) issued a new Binding Operational Directive (BOD 19-02) ordering federal agencies and departments quickly patch serious vulnerabilities in Internet-facing systems.

The BOD 19-02 gives government organizations 15 days to address critical vulnerabilities, while high-severity flaws must be fixed within 30 days.

“Review Cyber Hygiene reports issued by CISA and remediate the critical and high vulnerabilities detected on the agency’s Internet-accessible systems as follows:

• Critical vulnerabilities must be remediated within 15 calendar days of initial detection.
• High vulnerabilities must be remediated within 30 calendar days of initial detection.” reads the BOD.

BOD 19-02 replaces the previous 2015 BOD 15-01 (Critical Vulnerability Mitigation Requirement for Federal Civilian Executive Branch Departments and Agencies’ Internet-Accessible Systems) that gave the government agencies 30 days to address critical security holes.

Government systems exposed online undergo Cyber Hygiene vulnerability assessment to help agencies identify flaws.

The Cybersecurity and Infrastructure Security Agency (CISA) provides regular reports to government agencies, reporting them the vulnerabilities detected during ordinary assessments.

The new BOD 19-02 also requests the CISA to provide guidance for remediation and share with monthly base information on the detected flaws with the Office of Management and Budget (OMB). Information sharing is essential to profile threats and implement necessary countermeasures.

“In support of BOD implementation, CISA leverages Cyber Hygiene scanning results to identify cross-government trends and persistent constraints, and works with the Office of Management and Budget (OMB) to help impacted agencies overcome technical and resource challenges that prevent the rapid remediation of vulnerabilities. ” reads the BOD 19-02.

The agencies that will not able to address the flaws in the timeframe established by the BOD 19-02 have to submit a remediation plan in three days. The remediation plan includes a detailed report on the constraints prevented the agency from addressing the flaws in time, and of course, provides an estimated completion date.

“The federal government must continue to enhance our security posture, reduce risks posed by vulnerable Internet-accessible systems, and build upon the success of BOD 15-01 by advancing federal requirements for high and critical vulnerability remediation to further reduce the attack surface and risk to federal agency information systems,” the DHS said.

The latest BOD 19-02 directive is a very important directive, however, we have to consider that 15 days is a very long time to wait before fixing flaws in government systems managing critical processes and sensitive data.

Pierluigi Paganini

(SecurityAffairs – DHS, BOD 19-02)

[adrotate banner=”5″]

[adrotate banner=”13″]